Security News > 2023 > October > RCE exploit for Wyze Cam v3 publicly released, patch now
A security researcher has published a proof-of-concept exploit for Wyze Cam v3 devices that opens a reverse shell and allows the takeover of vulnerable devices.
Security researcher Peter Geissler recently discovered two flaws in the latest Wyze Cam v3 firmware that can be chained together for remote code execution on vulnerable devices.
The exploit released by Geissler on GitHub chains these two flaws to give attackers an interactive Linux root shell, turning vulnerable Wyze v3 cameras into persistent backdoors and allowing attackers to pivot to other devices in the network.
In a private discussion, Geissler explained to BleepingComputer that, to express his disapproval of Wyze's patching strategies, he made his exploit public before most Wyze users could apply the patch.
While Geissler admits that it is common for vendors to patch a bug that breaks exploit chains before the competition, he accuses Wyze of singling out that specific device to avoid negative PR from the competition, as the bug was allegedly not fixed in other devices.
Wyze told another security researcher that they were only notified of the Wyze Cam v3 bug a few days before the competition and are now investigating whether it is in other devices' firmware.